On March 9, 2022, the Securities and Exchange Commission ("SEC") proposed rules that would require public companies to make prescribed cybersecurity disclosures.1 The proposed rules would "strengthen investors' ability to evaluate public companies' cybersecurity practices and incident reporting"2 by requiring:
(i). mandatory, material cybersecurity incident reporting, including updates about previously reported incidents; and
(ii). mandatory, ongoing disclosures on companies' governance, risk management, and strategy with respect to cybersecurity risks, including board cybersecurity expertise and board oversight of cybersecurity risks.
The proposed rules, if adopted, would codify and further expand on the SEC's previously issued interpretive guidance from 20113 and 2018,4 in which the SEC provided its views on how existing disclosure obligations would apply to cybersecurity risks and incidents, and how cybersecurity is a key element of enterprise risk management. The proposed rules also reflect the SEC's move toward a more prescriptive rule-making approach and away from the prior administration's principles-based approach. The public comment period for the proposed rules will remain open for 30 days following publication of the proposing release in the Federal Register or until May 9, 2022, whichever period is longer.
In explaining its approach to the proposed rules, the proposing release highlighted that current disclosures on cybersecurity risks and incidents remain "inconsistent, may not be timely, and can be difficult to locate." Given the increasing prevalence of cybersecurity incidents and attacks, as well as the significant impact such an attack may have on a company, the SEC believes "[c]onsistent, comparable, and decision-useful disclosures" would allow investors to better evaluate companies' "exposure to cybersecurity risks and incidents as well as their ability to manage and mitigate those risks and incidents."
The proposed rules evidence the SEC's continued focus on cybersecurity risk after several high-profile incidents and increasing cybersecurity attacks. In 2021, for example, the SEC charged at least two issuers with cybersecurity-related violations, demonstrating the shift to a more aggressive enforcement posture.5 6
Cybersecurity Incident Disclosure
The proposed rules would:
Add Material Cybersecurity Incidents as a Form 8-K Event. Proposed new Item 1.05 of Form 8-K would require companies to disclose information about a material cybersecurity incident within four (4) business days after the company determines that it has experienced a material cybersecurity incident.7 The proposed rule expands on the SEC's 2018 guidance, which, among other things, recommended issuers disclose cybersecurity incidents and risks that would be material to its investors prior to the offer and sale of securities.8 The Form 8-K would be required to include the following information, to the extent such information is known at the time of the filing:
- when the incident was discovered and whether it is ongoing;
- a brief description of the nature and scope of the incident;
- whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
- the effect of the incident on the company's operations; and
- whether the company has remediated or is currently remediating the incident.
The trigger for an Item 1.05 Form 8-K would be the date on which a company determines that a cybersecurity incident it has experienced is material, rather than the date of discovery of the incident, in order to focus the disclosure on incidents that are material to investors, and would not provide for a reporting delay for when there is an ongoing internal or external investigation related to a material cybersecurity incident.9 Consistent with the SEC's approach to certain other Form 8-K disclosure items requiring a company to make a rapid evaluation of materiality, failure to timely report under new Item 1.05 (i) would not impact Form S-3 eligibility and (ii) would be subject to the limited safe harbor from certain public and private claims under Section 10(b) and Rule 10b-5 of the Securities Exchange Act of 1934, as amended (the "Exchange Act"), which already applies to certain Form 8-K disclosure items.10
Similar to the 2018 Guidance, the proposing release clarifies that a company would not be required to publicly disclose "specific, technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede [its] response or remediation of the incident."
Require Updates on Disclosed Cybersecurity Incidents. New Item 106(d)(1) of Regulation S-K would require companies to disclose any material changes, additions or updates to the information reportable under new Item 1.05 of Form 8-K in their quarterly report on Form 10-Q or annual report on Form 10-K, as applicable, for the period in which the material change, addition, or update occurred.11
Require Companies to Consider Whether Immaterial Incidents are Material in the Aggregate. Proposed Item 106(d)(2) of Regulation S-K would require companies to disclose, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate. Companies would be required to provide the same disclosure as in proposed new Item 1.05 of Form 8-K.
Risk Management, Strategy, and Governance Disclosure
The proposed rules would require enhanced and standardized disclosure on companies' cybersecurity risk management, strategy and governance. Specifically, the proposed rules would require disclosure of:
Cybersecurity Risk Management and Strategy. Proposed new Item 106(b) of Regulation S-K would require a company to disclose in its Form 10-K, as applicable, whether:
- it has a cybersecurity risk assessment program and if so, provide a description of such program;
- it engages assessors, consultants, auditors or other third parties in connection with any cybersecurity risk assessment program;
- it has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider (including, but not limited to, those providers that have access to the company's customer and employee data), including whether and how cybersecurity considerations affect the selection and oversight of these providers and contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers;
- it undertakes activities to prevent, detect, and minimize the effects of cybersecurity incidents;
- it has business continuity, contingency and recovery plans in the event of a cybersecurity incident;
- previous cybersecurity incidents have informed changes in its governance, policies and procedures, or technologies;
- cybersecurity-related risks and incidents have affected or are reasonably likely to affect its results of operations or financial condition and if so, how; and
- cybersecurity risks are considered as part of its business strategy, financial planning, and capital allocation and if so, how.
Cybersecurity Governance. Proposed new Item 106(c) of Regulation S-K would require disclosure in a company's Form 10-K of its cybersecurity governance, including the board's oversight of cybersecurity risks12 and a description of management's role in assessing and managing cybersecurity-related risks and in implementing the company's cybersecurity policies, procedures and strategies.13
Board Cybersecurity Expertise. Proposed new paragraph (j) of Item 407 of Regulation S-K would require disclosure in annual reports, annual meeting proxy statements and information statements on Schedule 14C if any member of the company's board of directors has expertise in cybersecurity, including the name(s) of any such director(s) and any detail necessary to fully describe the nature of the expertise.
Proposed Item 407(j) does not define what constitutes "cybersecurity expertise." However, it does include a non-exclusive list of criteria that a company should consider in reaching a determination on whether a director has expertise in cybersecurity.
In order to alleviate liability concerns for board nominees who would qualify as cybersecurity experts, proposed Item 407(j)(2) would state that a person who is determined to have expertise in cybersecurity will not be deemed an expert for any purpose, including, without limitation, for purposes of Section 11 liability, as a result of being designated or identified as a director with expertise in cybersecurity matters pursuant to proposed Item 407(j).
Inline XBRL Tagging
The proposed amendment would require companies to tag the information specified by Item 1.05 of Form 8-K and Items 106 and 407(j) of Regulation S-K in Inline XBRL in accordance with Rule 405 of Regulation S-T and the EDGAR Filer Manual, to allow investors and other market participants "to more efficiently perform large-scale analysis and comparison of this information across [companies] and time periods."
Application to Foreign Private Issuers
Periodic Disclosure. The proposed rules would amend Form 20-F to add Item 16J, which would require a foreign private issuer ("FPI") to include in its annual report on Form 20-F the same type of disclosure in proposed Items 106 and 407(j) of Regulation S-K. However, as FPIs are not subject to SEC rules for proxy or information statement filings, they would only be required to include this disclosure in their annual reports.
Incident Disclosure. The proposed rules would:
- Amend Form 6-K General Instruction B to add "cybersecurity incidents" as a potential reporting event. Further, where an FPI has previously reported an incident on Form 6-K, the proposed amendments would require an update in the company's Form 20-F regarding such incidents, consistent with proposed Item 106(d)(1) of Regulation S-K.
- Amend Form 20-F to require FPIs to disclose on an annual basis information regarding any previously undisclosed material cybersecurity incidents that have occurred during the reporting period, including a series of previously undisclosed individually immaterial cybersecurity incidents that has become material in the aggregate.
The proposed rules emphasize the SEC's focus on the area of cybersecurity and companies should look to strengthen their disclosure controls and procedures around cybersecurity incidents consistent with the SEC's 2011 and 201814 guidance and apparent focus in this area evidenced by its recent enforcement actions.
Public companies should evaluate whether to disclose material cybersecurity incidents in real time under Item 8.01 of Form 8-K, as well as continue to consider their obligation to disclose and provide updates on cyber risks and incidents in annual and/or quarterly reports as they relate to their risk factors, MD&A, description of business, legal proceedings and financial statement disclosures, especially if identified cyber risks have materialized.15 Companies should also ensure that cybersecurity is within the risk management framework of the board, audit committee or another board committee. In addition, companies should consider cybersecurity expertise at the board level, including whether a particular committee should have oversight over this area. Finally, in light of the potential need to disclose detailed information about cyber-related risks in the future, companies should continue to build out their cybersecurity programs to be robust and allow for rapid investigation and remediation of material breaches, as well as a clear reporting framework to enable the timely flow of information and through the proper reporting channels.
It is likely that both the SEC and Congress could propose more regulation in the cybersecurity space. For example, on March 9, 2022 and March 10, 2022, respectively, the US House of Representatives and the US Senate passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which will require owners of critical infrastructure to report certain cyber incidents to the Cybersecurity and Infrastructure Security Agency within seventy-two hours of reasonably believing that an incident has occurred.16 Owners of critical infrastructure will also be required to report ransom payments within twenty-four hours of after making such a payment.17 Companies should carefully monitor this space as it develops.
1 The proposed rules are available here.
2 See SEC Chair Gary Gensler's "Statement on Proposal for Mandatory Cybersecurity Disclosures."
3 See CF Disclosure Guidance: Topic No. 2- Cybersecurity (Oct. 13, 2011).
4 See Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Release No. 33-10459 (Feb. 26, 2018) No. 33-10459 (Feb. 21, 2018) [83 FR 8166], and our prior alert, "SEC Issues Interpretive Guidance on Public Company Cybersecurity Disclosures: Greater Engagement Required of Officers and Directors."
5 These actions come on the heels of several high-profile hacks, including the Kaseya ransomware attacks and vulnerabilities arising from the hack of SolarWinds, both of which affected businesses across the globe. The Biden Administration and Congress have also focused on cybersecurity of late, especially as to critical infrastructure. In July of last year, the President signed a national security memorandum establishing the President's Industrial Control System Cybersecurity Initiative, a voluntary, collaborative effort between the federal government and the critical infrastructure community to facilitate the deployment of technology and systems that provide threat visibility, indicators, detections, and warnings. National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (July 28, 2021), available here.
6 See SEC Charges Issuer With Cybersecurity Disclosure Controls Failures, Press Release, (June 15, 2021); In re First American Financial Corporation, Order Instituting Cease-and-Desist Proceedings, Release No. 92176 (June 14, 2021) (charging a company with violating the disclosure controls and procedures provision, Rule 13a-15(a) of the Securities Exchange Act of 1934 ("Exchange Act"), for failing to ensure all available and relevant information concerning a cybersecurity vulnerability was considered for disclosure in the company's SEC filings); SEC Charges Pearson plc for Misleading Investors About Cyber Breach, Press Release, (Aug. 16, 2021); In the Matter of Pearson plc, Order Instituting Cease-and-Desist Proceedings, Release No. 92676 0 (Aug. 16, 2021) (charging a company with violating Sections 17(a)(2) and 17(a)(3) of the Securities Act, Section 13(a) of the Exchange Act, and the disclosure controls and procedures provision, Rule 13a-15(a) of the Exchange Act, for making misleading statements concerning a data breach and failing to ensure all available and relevant information was considered for its disclosure in the company's SEC filings).
7 Form 6-K General Instruction B would be similarly amended to add "cybersecurity incidents" as a potential reporting event.
8 See Commission Statement and Guidance on Public Company Cybersecurity Disclosures at 11, Release No. 33-10459 (Feb. 26, 2018) No. 33-10459 (Feb. 21, 2018) [83 FR 8166].
9 The proposing release includes a non-exclusive list of examples of cybersecurity incidents that may, if determined by the company to be material, trigger the proposed Item 1.05 disclosure requirement: "An unauthorized incident that has compromised the confidentiality, integrity, or availability of an information asset (data, system, or network); or violated the registrant's security policies or procedures. Incidents may stem from the accidental exposure of data or from a deliberate attack to steal or alter data; [a]n unauthorized incident that caused degradation, interruption, loss of control, damage to, or loss of operational technology systems; [a]n incident in which an unauthorized party accessed, or a party exceeded authorized access, and altered, or has stolen sensitive business information, personally identifiable information, intellectual property, or information that has resulted, or may result, in a loss or liability for the registrant; [a]n incident in which a malicious actor has offered to sell or has threatened to publicly disclose sensitive company data; or [a]n incident in which a malicious actor has demanded payment to restore company data that was stolen or altered."
10 This limited safe harbor applies only to a failure to timely file a current report on Form 8-K—not to any other anti-fraud violation or failure to maintain disclosure and controls under the Exchange Act—and extends until the due date of the company's next quarterly report on Form 10-Q or annual report on Form 10-K, whichever comes first.
11 Proposed Item 106(d)(1) provides the following non-exclusive examples of the type of disclosure that should be provided, if applicable: "Any material impact of the incident on the registrant's operations and financial condition; [a]ny potential material future impacts on the registrant's operations and financial condition; [w]hether the registrant has remediated or is currently remediating the incident; and [a]ny changes in the registrant's policies and procedures as a result of the cybersecurity incident, and how the incident may have informed such changes."
12 Specifically, as it pertains to the board's oversight of cybersecurity risk, disclosure required by proposed Item 106(c)(1) would include a discussion, as applicable, of the following: "Whether the entire board, specific board members or a board committee is responsible for the oversight of cybersecurity risks; [t]he processes by which the board is informed about cybersecurity risks, and the frequency of its discussions on this topic; and [w]hether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight."
13 Specifically, Item 106(c)(2) would require disclosure including, but not limited to,: "Whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, specifically the prevention, mitigation, detection, and remediation of cybersecurity incidents, and the relevant expertise of such persons or members; [w]hether the registrant has a designated a chief information security officer, or someone in a comparable position, and if so, to whom that individual reports within the registrant's organizational chart, and the relevant expertise of any such persons; [t]he processes by which such persons or committees are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents; and [w]hether and how frequently such persons or committees report to the board of directors or a committee of the board of directors on cybersecurity risk."
14 See footnotes 3 and 4.
15 See Alphabet Secs. Litig., R.I., v. Alphabet, Inc., 1 F.4th 687 (9th Cir. 2021); cert. denied sub nom., 2022 US LEXIS 1338 (US March 7, 2022) (No. 21-594) (finding plaintiff shareholders adequately alleged misstatements because the company's Form 10-Q stated there were "no material changes" to its cybersecurity risk factor disclosure when the company was aware of a cybersecurity vulnerability). See our prior alert, "Time to Revisit Risk Factors in Periodic Reports."
16 Consolidated Appropriations Act of 2022, H.R. 2471, 117th Cong., Div. Y § 103 (2022).
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2022 White & Case LLP